The scope of a security risk assessment can seem vague or endless, generating doubt about its worth when there are more prescriptive measures available in the industry. However, the process can save businesses money by focusing scarce resources on the most significant risks. To better understand how risk assessments achieve this and why they are essential to the security design process, we must examine how critical assets are identified, the different methods of protecting these assets, the function of the likelihood and consequence register, and how the worth of a risk assessment is proven.
Which assets need to be secured?
A security risk assessment must be able to identify the critical assets of a business or property. What is the item that is vulnerable? What are its risks and vulnerabilities? This must be the starting point, as it informs the rest of the design process. Assets form three primary types: people, valuable commodities and operational necessity.
If the asset is people, for example, then the vulnerability is that they can be attacked. Diplomats, high-ranking officials or heads of government may visit the site on a regular basis. This needs to be taken into account, though the primary concern should be ensuring the safety of the general day-to-day occupants.
Critical systems are an operational necessity asset. These are systems that require restricted access because what is inside presents a hazard to anyone who enters without authorisation. An electrical switch room or a cleaner’s cupboard is hazardous: high-voltage electricity can leap from the conductors, and the materials used to treat pools are potentially lethal when ingested. The unauthorised person may not realise the risk they are taking by entering this area.
Therefore security is fundamental in order to protect them and the business. IT systems are also deemed a highly vulnerable asset. An unauthorised person gaining access to an IT cabinet could result in cables being removed and the entire system crashing, which would be time-consuming, labour-intensive and costly to rebuild.
There are also utilities to be considered. Water systems are vulnerable to malicious contamination, which could affect an entire town’s water supply. Water is an essential commodity in the Middle East, for example, where all buildings have large water reserves built into the sublayer in order to handle sustained water outages. In this case, the water supply needs to be protected, as does the water itself from being contaminated.
Other potential assets include systems, business information, company reputation and site reputation. Each of these critical assets needs to be understood for its function, how far-reaching the consequences of its damage are, and how it affects the reputation of the building (and associated managing agent or business owner) within which it exists.
A mall is a good example of a building that requires the continued entrance and exit of people to be profitable. If its reputation was to be damaged by a poorly handled attack, it could permanently cease to operate as customers no longer entrust it with their safety.
Once all critical assets have been established, their vulnerabilities are considered. IT, for example, comprises delicate technology that can easily be physically damaged or – if in the form of a camera or detector, for example – can be removed. Network security is vital, as a cyberattack could affect a source that controls a function important to the building.
How are critical assets protected?
To begin the process of securing critical assets, the consequence of losing the asset must be assessed. Is the consequence the loss of the service the product provides? Is it the loss of the product’s output? Or can the business no longer operate if the product is lost or has reduced capability? It could be that there is a single point of failure, such as a bank that has all its data delivered into the building through one cable. This means that the manhole the cable passes through, the cable itself and the room the cable runs into have to be treated as vital security points.
To mitigate this, the data could be divided into two cables, perhaps coming from different sides of the building. Alternatively, there could be a second room with a second cable coming in from a different supplier. Another solution might be to install two generators – one on the north side of the building and the other on the south side. When either side experiences a problem, such as a fire, the other generator will continue supporting the business function. Separation and diversity reduce risk, as losing one method allows for defaulting to the other.
Risk can also be offset by ensuring the ability to recover the situation quickly. The product could be hardened or placed behind thicker walls, burglar bars or impenetrable doors. The risk can also simply be removed by exporting it away from the business. A priceless piece of artwork, for example, may be at risk displayed in a company’s foyer. An assessment should be made on whether the original artwork is needed for this purpose. If it is too valuable, the use of a replica could be beneficial, confidentially moving the original to a safer location.
Risk can also be offset by supporting the product with an additional version. Many companies in London have a secondary building elsewhere that contains standby desks and computers in the event of a critical event occurring at their main site. In this case, critical members of staff that need to remain working are evacuated to the backup site.
When the asset is people and the risk is terrorist or marauding attacks, restrictions should be put in place in terms of the building structure itself and physical security barriers such as access control. Architects and security engineers work together to ensure the aesthetic nature of the building works in combination with risk mitigation, limiting unauthorised persons’ ability to move around freely. Security points are needed to prevent everyone in the building from being vulnerable to an unpredictable attack.
Personnel who have day-to-day interactions with clients and members of the public are more likely to be faced with abusive behaviour, which can be difficult to prosecute if the offending persons have left the scene. Therefore risk assessments also need to offer some level of mitigation, either reducing the risk of the offence occurring or increasing the offender’s risk of being caught and prosecuted.
How is the worth of a risk assessment proven?
At QCIC, our clients choose security risk assessments because they want to know where they are particularly vulnerable and how to mitigate those risks. Risk assessments account for the building itself, all businesses within and the surrounding environment. Ultimately a prescriptive approach to security mitigations and hardening using a blanket security template can be excessive and does not suit most scenarios. A thorough security risk assessment assists in focusing money in the correct places and allocating the right amount of effort where it is most needed.
The value of an appropriately designed risk assessment should be measured by the impact of loss. A bank’s network connection being down for an hour could result in millions being lost. This is similar to backup sites being reserved in case of an attack – though this is an expensive option, it pales in comparison to the potential loss. It is also vital for businesses that cannot afford downtime to have a backup generator for all IT systems and telephone networks. Notably, that generator then needs to be protected to the same standard that the incoming data or power source is.
How is the likelihood of attacks assessed?
After identifying assets, examining their vulnerabilities and assessing the impact of their loss, historical threat scenarios and common crimes in the area need to be investigated. Subsequently, a likelihood assessment should be done. A scale of one to five is used, running from unlikely through possible, likely and highly likely to certain. Next, the consequences are scored, which is equally important. A pencil lost in a library is inconsequential, whereas a staff member resigning after an attack could be a long-term problem if more staff decide to follow. Thus a scale that rates different levels of consequence is required.
A catastrophic consequence score equates to a loss of life, permanent damage and possibly long-term recovery of the asset. Major means the situation might be recovered in approximately three months. Though seemingly mild, it is important to keep in mind that the business could be unable to trade for those three months or that staff could have suffered severe injuries that require recovery time. From there the rating scales down to reasonable incidents, mid-range incidents that are less consequential and then no consequence whatsoever.
Thus there is a scale of likelihood and a scale of impact, together forming a risk register. These numbers work together to calculate a tangible evaluation of risk. It is important to examine the client’s threshold to establish where the point is that this risk number becomes too high for them to afford. If the answer from the risk register equates to more than the level the client is comfortable with, security measures need to be actioned.
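The likelihood and consequence scales, the risk register they form and the client threshold test described above, worked through as an added example (this is illustrative code written for this page, not a QCIC tool). The five likelihood labels follow the article; the top two consequence labels (catastrophic, major) are the article's, the lower three labels and all register entries are constructed for the example, and the likelihood-times-consequence scoring is an assumption about how the two scales are combined.

```python
from dataclasses import dataclass, replace

# Likelihood scale from the article: 1 (unlikely) to 5 (certain).
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3, "highly likely": 4, "certain": 5}

# Consequence scale, 1 (no consequence) to 5 (catastrophic). "catastrophic" and
# "major" are the article's labels; the lower three are assumed for this example.
CONSEQUENCE = {"none": 1, "mid-range": 2, "reasonable": 3, "major": 4, "catastrophic": 5}


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    likelihood: str
    consequence: str

    @property
    def score(self) -> int:
        # Assumed combination rule: likelihood x consequence, giving a 1..25 rating.
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def risk_register(entries, threshold):
    """Return entries scoring above the client's comfort threshold, highest first."""
    for e in entries:
        if e.likelihood not in LIKELIHOOD or e.consequence not in CONSEQUENCE:
            raise ValueError(f"unknown scale label in entry for {e.asset!r}")
    flagged = [e for e in entries if e.score > threshold]
    return sorted(flagged, key=lambda e: e.score, reverse=True)


def mitigated(entry, likelihood=None, consequence=None):
    """Re-score an entry after a mitigation changes its likelihood or consequence."""
    return replace(entry, likelihood=likelihood or entry.likelihood,
                   consequence=consequence or entry.consequence)


# Constructed sample register (illustrative values, not from the article).
SAMPLE = [
    RiskEntry("single incoming data cable", "cable cut at manhole", "possible", "catastrophic"),
    RiskEntry("electrical switch room", "unauthorised entry", "likely", "major"),
    RiskEntry("library pencil", "theft", "certain", "none"),
    RiskEntry("front-desk staff", "abuse by visitor", "highly likely", "mid-range"),
]


def actionable(threshold=9):
    """(asset, score) pairs that exceed the threshold and so need security measures."""
    return [(e.asset, e.score) for e in risk_register(SAMPLE, threshold)]


if __name__ == "__main__":
    for asset, score in actionable():
        print(f"{score:2d}  {asset}")
    # Splitting the data feed across two cables lowers the likelihood of total loss.
    print(mitigated(SAMPLE[0], likelihood="unlikely").score)
```

Running it lists the switch room (12) and the single data cable (10) as the two entries above a threshold of 9, and shows the cable dropping to 5 once a second, diverse feed makes total loss unlikely.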
It is at this point that the security risk assessment has done its job – evaluating all risks, highlighting where likelihood and consequence are highest, and advising the client on appropriate applications, thus mitigating risk in the long term.
This article was previously published in Security Journal UK.